
Cannot delete Azure DPS using Service Principal #3955

Closed
ghost opened this issue Jul 29, 2019 · 4 comments

Comments


ghost commented Jul 29, 2019

This issue was originally opened by @ezhaar as hashicorp/terraform#22228. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.12.5
+ provider.azurerm v1.32.0

Terraform Configuration Files

provider "azurerm" {
  version         = "=1.32.0"
  tenant_id       = "tenant_id"
  subscription_id = "subscription_id"
  client_id       = "client_id"
  client_secret   = "client_secret"
}
resource "azurerm_resource_group" "testrg" {
  name     = "tf-test-rg"
  location = "northeurope"
}

resource "azurerm_iot_dps" "dps" {
  name                = "tf-test-dps2"
  resource_group_name = "${azurerm_resource_group.testrg.name}"
  location            = "northeurope"
  sku {
    name     = "S1"
    tier     = "Standard"
    capacity = "1"
  }
}

Expected Behavior

terraform destroy should succeed

Actual Behavior

$ terraform destroy 
...
- destroy
Terraform will perform the following actions:
# azurerm_iot_dps.dps will be destroyed
- resource "azurerm_iot_dps" "dps" {
- id                  = "/subscriptions/<subscription_id>/resourceGroups/tf-test-rg/providers/Microsoft.Devices/provisioningServices/tf-test-dps" -> null
- location            = "northeurope" -> null
- name                = "tf-test-dps" -> null
- resource_group_name = "tf-test-rg" -> null
- tags                = {} -> null
- sku {
- capacity = 1 -> null
- name     = "S1" -> null
- tier     = "Standard" -> null
}
}
# azurerm_resource_group.testrg will be destroyed
- resource "azurerm_resource_group" "testrg" {
- id       = "/subscriptions/<subscription_id>/resourceGroups/tf-test-rg" -> null
- location = "northeurope" -> null
- name     = "tf-test-rg" -> null
- tags     = {} -> null
}
Plan: 0 to add, 0 to change, 2 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
azurerm_iot_dps.dps: Destroying... [id=/subscriptions/<subscription_id>/resourceGroups/tf-test-rg/providers/Microsoft.Devices/provisioningServices/tf-test-dps]

Error: Error deleting IoT Device Provisioning Service "tf-test-dps" 
(Resource Group "tf-test-rg"): iothub.IotDpsResourceClient#Delete: Failure sending request: StatusCode=403 -- 

Original Error: Code="AuthorizationFailed" Message="The client '<object_id>' with object id '<object_id>' does not have authorization to perform action 'Microsoft.Devices/provisioningServices/delete' over scope '/subscriptions/<subscription_id>/resourceGroups/tf-test-dps/providers/Microsoft.Devices/provisioningServices/tf-test-rg' or the scope is invalid. If access was recently granted, please refresh your credentials."

The scope is wrong, i.e.
/subscriptions/<subscription_id>/resourceGroups/tf-test-dps/providers/Microsoft.Devices/provisioningServices/tf-test-rg
should be
/subscriptions/<subscription_id>/resourceGroups/tf-test-rg/providers/Microsoft.Devices/provisioningServices/tf-test-dps
The names of the resource group and the DPS instance are in the wrong positions and must be swapped.

Steps to Reproduce

## Create a RG and assign a service principal as the Owner of the RG  
$ az login 
$ az group create -l northeurope --name tf-test-rg --subscription <subscription_id>
$ az ad sp create-for-rbac -n "test-sp" --role Owner --scopes /subscriptions/<subscription_id>/resourceGroups/tf-test-rg
$ terraform init
$ terraform apply 
$ terraform destroy 

Additional Context

The DPS can be deleted using the same client_id from the CLI:

$ az login --service-principal -u <client_id> -p <passwd> -t <tenant_id>
$ az iot dps delete --name tf-test-dps -g tf-test-rg
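The 403 above is a symptom of a malformed request, not of a missing role assignment: the scope Azure evaluated has the resource group and DPS names transposed, so the role assigned on tf-test-rg never applies. As an added example (not the provider's or the reporter's code; the function names are my own, and the error message and subscription ID are constructed placeholders), here is a Go check that builds the DPS resource ID in the correct order, parses the scope out of an AuthorizationFailed message, and flags when that scope is not the resource the caller meant to act on:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DPSResourceID builds the ARM ID of a DPS instance in the order Azure expects:
// subscription, then resource group, then the provisioning service name.
func DPSResourceID(sub, rg, name string) string {
	return "/subscriptions/" + sub + "/resourceGroups/" + rg +
		"/providers/Microsoft.Devices/provisioningServices/" + name
}

// ParseDPSResourceID splits an ID back into (subscription, resourceGroup, name).
func ParseDPSResourceID(id string) (sub, rg, name string, err error) {
	p := strings.Split(strings.Trim(id, "/"), "/")
	if len(p) != 8 || !strings.EqualFold(p[0], "subscriptions") ||
		!strings.EqualFold(p[2], "resourceGroups") || !strings.EqualFold(p[4], "providers") ||
		!strings.EqualFold(p[5], "Microsoft.Devices") || !strings.EqualFold(p[6], "provisioningServices") {
		return "", "", "", fmt.Errorf("not a DPS resource ID: %q", id)
	}
	return p[1], p[3], p[7], nil
}

// scopeRe pulls the scope Azure evaluated out of an AuthorizationFailed message.
var scopeRe = regexp.MustCompile(`over scope '([^']+)'`)

// ScopeMismatch reports whether the scope in a 403 AuthorizationFailed message differs from the
// resource the caller intended; if so, granting more RBAC would not fix the failure.
func ScopeMismatch(errMsg, sub, rg, name string) (bool, string, error) {
	m := scopeRe.FindStringSubmatch(errMsg)
	if m == nil {
		return false, "", fmt.Errorf("no scope found in error message")
	}
	gotSub, gotRG, gotName, err := ParseDPSResourceID(m[1])
	if err != nil {
		return false, m[1], err
	}
	return gotSub != sub || gotRG != rg || gotName != name, m[1], nil
}

func main() {
	// Constructed message shaped like the one in the issue (placeholder subscription ID).
	msg := `Code="AuthorizationFailed" Message="... over scope '` +
		DPSResourceID("<subscription_id>", "tf-test-dps", "tf-test-rg") + `' or the scope is invalid."`
	swapped, scope, err := ScopeMismatch(msg, "<subscription_id>", "tf-test-rg", "tf-test-dps")
	fmt.Println(swapped, scope, err) // swapped == true: RG and DPS names are transposed
}
```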
@mbfrahry (Member) commented

Hey @ezhaar, I'm unable to reproduce this with the information you provided. Do you mind running through this again with TF_LOG=1 and posting the log information you receive?


ezhaar commented Jul 30, 2019

@mbfrahry I have tested this with several SPs and I can reproduce the bug every time. Debug logs are here: https://gist.github.com/ezhaar/e744ec8065638e20718901bf4776a673 (removed tenant, subscription and client ids).

@mbfrahry (Member) commented

Hey @ezhaar, found and fixed! Thanks for submitting the logs. This will go out in the next release.


ghost commented Aug 30, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 30, 2019